The registry is the heart of the Windows operating system. But by default, the registry on all Windows-based computers is open and available across the network. A well-informed hacker can use this vulnerability to compromise your organization's systems or modify file relationships and permissions to inject malicious code. To protect your network, you need to deny remote access to the registry.
You can accomplish this via a network access list change and a simple registry fix. Depending on the complexity of your network, you might consider denying remote registry access on the machines themselves.
Editing the registry can be risky, so be sure you have a verified backup before you begin.
Fix the registry
For computers running Windows 2000, Windows XP, and Windows Server 2003, follow these steps:
- Go to Start | Run.
- Enter Regedt32.exe, and click OK.
- If the winreg key is already present, skip ahead to the step that sets its permissions (select the winreg key and go to Security | Permissions). If the key doesn't exist, go to Edit | Add Key.
- Name the key winreg, and give it a class of REG_SZ.
- Select the new key, go to Edit | Add Value, and enter Registry Server as the value.
- Select the winreg key, and go to Security | Permissions.
- Make sure the local System Administrators Group has full access, and give read access to the System account and the Everyone group.
- Close the Registry Editor, and restart the computer.
If you have a special group for workstation and server support that isn't a member of your administrators group, you should also grant it the appropriate access permissions.
In addition, if the machine you're making these changes on is a server or if it provides remote services to authorized users, you must allow the service account associated with that service to have read permissions to this key as well.
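The following PowerShell script is an added example for checking the result of the steps above; it is not part of the original article. It reads the ACL on the winreg key and reports any principal whose rights do not match what the steps describe: only the local Administrators group (and SYSTEM, which Windows normally grants full control) may exceed read access, and read access is expected for SYSTEM, Everyone, and whatever support group or service accounts you added. The key path HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg is the documented location of the winreg key (the article does not spell it out), and the group name CONTOSO\WorkstationSupport is a placeholder for your own support group or service account. Run it from an elevated prompt.

```powershell
# Added example (not from the article): audit the winreg key ACL after applying the fix.
# Assumed path: the documented location of the winreg key.
$WinregPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

# Principals allowed to hold more than read access (Administrators per the article;
# SYSTEM because Windows grants it full control by default).
$AllowedBeyondRead = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# Principals expected to hold read-only access. CONTOSO\WorkstationSupport is a
# placeholder for your support group or a service account that needs read rights.
$ExpectedReaders = @('NT AUTHORITY\SYSTEM', 'Everyone', 'CONTOSO\WorkstationSupport')

function Test-WinregPermissions {
    param([string]$Path = $WinregPath)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "$Path is missing: remote registry access is not restricted by ACL on this machine."
        return $false
    }

    $readMask = [int][System.Security.AccessControl.RegistryRights]::ReadKey
    $fullMask = [int][System.Security.AccessControl.RegistryRights]::FullControl
    $acl      = Get-Acl -Path $Path
    $ok       = $true
    $adminHasFull = $false

    foreach ($ace in $acl.Access) {
        # Deny entries are left alone; the check is about what is granted.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $who    = $ace.IdentityReference.Value
        $rights = [int]$ace.RegistryRights
        # Any bit outside ReadKey lets the principal create, write, or delete.
        $beyondRead = ($rights -band (-bnot $readMask)) -ne 0

        if ($who -eq 'BUILTIN\Administrators' -and (($rights -band $fullMask) -eq $fullMask)) {
            $adminHasFull = $true
        }

        if ($beyondRead -and ($who -notin $AllowedBeyondRead)) {
            Write-Warning ("{0} holds {1} on winreg; only {2} should exceed read access." -f
                $who, $ace.RegistryRights, ($AllowedBeyondRead -join ', '))
            $ok = $false
        }
        elseif (-not $beyondRead -and ($who -notin $ExpectedReaders)) {
            Write-Warning "$who has read access to winreg but is not on the expected reader list."
            $ok = $false
        }
        else {
            Write-Host ("OK  {0,-35} {1}" -f $who, $ace.RegistryRights)
        }
    }

    if (-not $adminHasFull) {
        Write-Warning 'BUILTIN\Administrators does not hold Full Control on winreg; local admins may lose remote access.'
        $ok = $false
    }

    return $ok
}

# Usage: returns $true when the ACL matches the expected layout.
Test-WinregPermissions
```

Because winreg only governs who may open the registry remotely, the script says nothing about what each caller can then read or change; the ACLs on the individual keys still apply after the connection is allowed.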
Fix the network
The registry fix will take care of your internal, authorized needs, but you still need to protect the registry from external and Internet access. Registry exploits are still prevalent among Windows systems, and you should make sure your security strategy addresses these vulnerabilities.
Denying TCP/UDP ports 135, 137, 138, 139, and 445 at the premise router or firewall is the solution. Blocking these ports will not only stop remote registry access—it will also stop most remote attacks against Windows systems.
Shutting down access from the Internet to these ports will instantly boost the security of your Windows networks. However, before blocking these ports, make sure you don't have a business reason to allow external access to these ports.
While there's a Remote Registry service on machines that run Windows 2000, Windows XP, and Windows Server 2003 that you can disable, this isn't always a practical approach for an enterprise network.
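As a second added example (again not from the article), the script below inventories the local listeners on the ports the section above says to block at the perimeter (TCP/UDP 135, 137, 138, 139, and 445) and reports the state of the Remote Registry service, so you can compare a host's actual exposure with what the perimeter filter is supposed to stop. It assumes the NetTCPIP cmdlets Get-NetTCPConnection and Get-NetUDPEndpoint, which ship with Windows 8 / Server 2012 and later; the Windows versions named in the article predate them, where netstat would have to be used instead.

```powershell
# Added example (not from the article): list local listeners on the ports the article
# says to block at the perimeter, and report the Remote Registry service state.
$RegistryPorts = 135, 137, 138, 139, 445

function Get-RegistryPortListeners {
    # Resolve the owning process name so the report shows which service holds the port.
    $nameOf = { param($pid_) (Get-Process -Id $pid_ -ErrorAction SilentlyContinue).ProcessName }

    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $RegistryPorts } |
        ForEach-Object {
            [pscustomobject]@{
                Protocol  = 'TCP'
                LocalPort = $_.LocalPort
                Address   = $_.LocalAddress
                Process   = & $nameOf $_.OwningProcess
            }
        }

    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $RegistryPorts } |
        ForEach-Object {
            [pscustomobject]@{
                Protocol  = 'UDP'
                LocalPort = $_.LocalPort
                Address   = $_.LocalAddress
                Process   = & $nameOf $_.OwningProcess
            }
        }

    @($tcp) + @($udp) | Sort-Object Protocol, LocalPort
}

function Get-RemoteRegistryState {
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }   # service not installed on this build
    [pscustomobject]@{
        Name      = $svc.Name
        Status    = $svc.Status
        StartType = $svc.StartType
    }
}

# Usage: show the listeners first, then the service state.
Get-RegistryPortListeners | Format-Table -AutoSize
Get-RemoteRegistryState
```

A host that listens on 445 and runs Remote Registry is reachable for remote registry calls from anywhere the perimeter lets those ports through, which is why the article pairs the key ACL with the port block rather than relying on either alone.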